API monitoring
Our research focuses on the application of virus tests in the virtual environment and the subsequent evaluation of virus behavior in order to detect viruses without the use of signatures. This is done through the use of API monitoring.
API monitoring
An API (Application Programming Interface) is a group of functions used by components, applications, operating systems and so on. APIs are generally made up of one or more DLLs (Dynamic Link Libraries) that export specific functions. DLLs are files containing functions called by the Windows OS; the functions contained within DLL files are API functions.
By monitoring the API functions an application calls we can analyze its activity in real time. In practice we monitor only the API functions related to actions peculiar to viruses, and we decide whether a program is a virus from the argument values delivered to those API functions.
Virus judgment criteria
Standard mail virus infections are identified by the following three types of activity:
- The sending of many emails in a short period of time
- The change of important system files
- The shutdown of anti-virus software functions
The following three activities can also be performed by ordinary applications, so a combination of several of them occurring together must be established before a program is judged to be a virus:
- Creation, modification or deletion of registry entries
- Changing non-important system files
- Making network connections, opening connection ports
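The following block is an added example, not code from the original project, showing how the monitored API calls described above can be evaluated against the judgment criteria: each hooked call is mapped to one of the listed activities, the three strong indicators (a mail burst, a change to an important system file, shutting down anti-virus software) decide on their own, and the weaker activities only count in combination. The API function names, the trace format, the burst thresholds, the lists of important files and anti-virus process names, and the sample traces are all constructed assumptions for illustration.

```python
"""Behaviour-based judgment over a monitored API-call trace (added example).

Assumptions: the hook layer delivers calls as ApiCall records; the
thresholds and the file/process lists below are illustrative only.
"""
from dataclasses import dataclass, field
from collections import deque

MAIL_BURST_COUNT = 20       # assumed: mails inside one window that count as "many"
MAIL_BURST_SECONDS = 60.0   # assumed: length of the sliding window in seconds
WEAK_INDICATOR_MIN = 2      # assumed: distinct weak activities needed in unison

# Constructed lists for illustration; a deployment derives them from the guest image.
IMPORTANT_SYSTEM_FILES = {
    r"c:\windows\system32\drivers\etc\hosts",
    r"c:\windows\system32\userinit.exe",
}
AV_PROCESS_NAMES = {"avguard.exe", "mcshield.exe"}


@dataclass
class ApiCall:
    t: float                                  # seconds since the monitored process started
    name: str                                 # monitored API function name
    args: dict = field(default_factory=dict)  # argument values delivered by the hook


def classify(call):
    """Map one monitored call to an activity from the judgment criteria, or None."""
    n, a = call.name, call.args
    if n in ("connect", "WSAConnect"):
        # An outbound connection to port 25 is treated as one mail being sent.
        return "mail_send" if a.get("port") == 25 else "network_connection"
    if n == "listen":
        return "port_open"
    if n in ("WriteFile", "DeleteFile", "MoveFileEx"):
        path = a.get("path", "").lower()
        return "important_file_change" if path in IMPORTANT_SYSTEM_FILES else "file_change"
    if n == "TerminateProcess" and a.get("image", "").lower() in AV_PROCESS_NAMES:
        return "av_shutdown"
    if n in ("RegSetValueEx", "RegCreateKeyEx", "RegDeleteKey", "RegDeleteValue"):
        return "registry_change"
    return None


def judge(trace):
    """Return a verdict: strong indicators fire alone, weak ones only in combination."""
    strong, weak = set(), set()
    window = deque()  # timestamps of mail sends inside the sliding window
    for call in sorted(trace, key=lambda c: c.t):
        activity = classify(call)
        if activity is None:
            continue
        if activity == "mail_send":
            window.append(call.t)
            while window and call.t - window[0] > MAIL_BURST_SECONDS:
                window.popleft()
            if len(window) >= MAIL_BURST_COUNT:
                strong.add("mail_burst")
        elif activity in ("important_file_change", "av_shutdown"):
            strong.add(activity)
        else:
            weak.add(activity)
    is_virus = bool(strong) or len(weak) >= WEAK_INDICATOR_MIN
    return {"verdict": "virus" if is_virus else "clean",
            "strong": sorted(strong), "weak": sorted(weak)}


# Constructed traces standing in for what the API hooks would deliver.
MASS_MAILER = [ApiCall(0.5 * i, "connect", {"host": f"mx{i}.example.test", "port": 25})
               for i in range(25)]
BENIGN_SETTINGS = [ApiCall(1.0, "RegSetValueEx", {"key": r"HKCU\Software\Demo\Version"})]
COMBINATION = [ApiCall(1.0, "RegSetValueEx", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}),
               ApiCall(1.5, "listen", {"port": 4444})]

if __name__ == "__main__":
    for label, trace in (("mass mailer", MASS_MAILER), ("benign settings", BENIGN_SETTINGS),
                         ("combination", COMBINATION)):
        print(label, judge(trace))
```

The sliding window is what turns "many emails in a short period" into a checkable rule: a handful of connections to port 25 is ordinary mail-client behaviour and adds nothing, while twenty within the window is reported as a strong indicator on its own. Tuning `WEAK_INDICATOR_MIN` is the trade-off between missing a virus that only touches the registry and opens a port and flagging an installer that writes a registry key and a log file.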
Method
Since the test computers easily become infected with viruses, a VMware Workstation virtual machine running Windows XP was used. VMware provides a virtual PC that can be restored again and again every time it is infected. The virus detection program is configured so that it can only connect to the VMware guest and thus cannot propagate viruses outside the system. A false DNS server and a false mail server were set up in order to simulate a real environment.

We are currently carrying out experiments in virus detection using this system.